| 1 |
On Sat, 2006-11-04 16:00 Paul de Vrieze wrote: |
| 2 |
> On Saturday 04 November 2006 12:11, Joe Knall wrote: |
| 3 |
> > can/does mounting a partition with noexec, ro etc. provide |
| 4 |
> > additional security or are those limitations easy to circumvent? |
| 5 |
> > |
| 6 |
> > Example: webserver running chrooted |
| 7 |
> > all libs and executables (apache, lib, usr ...) on read only |
| 8 |
> > mounted partition /srv/www, data dirs (logs, htdocs ...) on |
| 9 |
> > partition /srv/www/data mounted with noexec (but rw of course), no |
| 10 |
> > cgi needed. |
| 11 |
> > Server is started with "chroot /srv/www /apache/bin/httpd -k |
| 12 |
> > start". |
| 13 |
> |
| 14 |
> Besides this, you must also add nodev to prevent those kinds of |
| 15 |
> circumventions |
| 16 |
> |
| 17 |
> Paul |
| 18 |
|
| 19 |
correct, it's atually like this |
| 20 |
/srv/www type ext3 (ro,nosuid,nodev,acl,user_xattr) |
| 21 |
/srv/www/data type ext3 (rw,noexec,nosuid,acl,user_xattr) |
| 22 |
|
| 23 |
but I need a /dev, currently data/dev with null and urandom there, |
| 24 |
writeable and not nodev (could as well be a separate partition). |
| 25 |
Do you think this turns all the rest in vain? |
| 26 |
|
| 27 |
Joe |
| 28 |
-- |
| 29 |
gentoo-security@g.o mailing list |
Archives